PSD2 AND API SECURITY WHITE PAPER
5. SECURE YOUR APIS TO SECURE YOUR BUSINESS
APIs cannot detect, prevent or respond to automated attacks, and they are relatively simple to breach. By reverse engineering apps that connect to API endpoints, the perpetrator gains access to the API and the capacity to carry out a myriad of bot attacks. Attackers will always look for the easiest point of entry, and your bot management solution must be equipped to cover all attack vectors.

APIs used to share data between banks and TPPs or mobile applications are particularly at risk of exposure to new threats and require a more robust security solution. JavaScript-based solutions, for instance, would typically cover only websites accessed through browsers, not API traffic from mobile applications or other services. WAF- and CDN-based solutions provided by bolt-on bot suppliers derive from traditional approaches such as blacklisting and IP blocking and fail to provide analysis of the bot's behaviour and intent. This can lead to loss of confidence if legitimate users are stopped or delayed from reaching the point of conversion on your site.

Attackers will attempt to gain entry to the API layer via its three vulnerable access points: the browser, mobile applications and the API server. It is vital that your API layer is protected by best-of-breed technology that is designed to complement existing controls such as WAFs and CDNs, while providing comprehensive coverage of the API's access points without complex mobile SDKs.

Equally, your bot management technology must adapt as user behaviour and bot techniques evolve. To achieve this, the technology must look specifically at what the bots are doing to determine intent and motive.
NETACEA.COM